Assessing the Risks of Contactless Technology


Courtney Radke, CISO for National Retail, Fortinet


Fortinet.com/retail
How is contactless technology changing organizations’ security needs? For example, what do restaurant operators not know about security risks associated with contactless transactions?
Due to the very nature of how the payments are processed in a contactless model (NFC/RF, close proximity, preset transaction limits), there are far fewer risks associated with contactless payments than with traditional payment methods, making the adoption of these technologies extremely beneficial for retailers looking to increase their payment security maturity. However, it is important to note that contactless “card not present” transactions, such as over the phone, present other risks and challenges that retailers must be aware of, including encryption requirements. For example, failure to encrypt or properly segment a VoIP connection may bring the rest of the network in scope for (or non-compliance with) PCI DSS.
Are there unique challenges to security in the cloud vs. on-premises?
In order to enable fast and agile development, including CI/CD, businesses have emboldened employees with an “entrepreneurial spirit” and enabled them to build and deploy technologies in the cloud to reach the customer. While the benefits are substantial, this practice of unchecked cloud expansion has also led to major security risks such as the proliferation of unsecured partner integrations and keeping legacy databases that contain sensitive customer information from ever being decommissioned. As cloud computing becomes ubiquitous, similar to virtual compute and the traditional server architecture before it, this issue, called “cloud sprawl,” is likely to become more common.
Tell us about how Fortinet works with enterprise and small business to assess security exposure and needs.
In 2015, Fortinet introduced the Cyber Threat Assessment Program (CTAP) to help organizations identify risks within their environment and better understand the value of implementing security solutions correctly. This program is quick to deploy by a customer or a technology partner and does not impact daily operations, providing immediate insight and security strategy recommendations in an easily consumable format. With visibility into devices and applications on the network, performance bottlenecks and where existing security solutions are falling short, businesses are better equipped to prioritize efforts based on the most critical risks identified.
Tell us about the process of integrating Fortinet into a hospitality (restaurant or hotel) system.
Using dedicated ASICs, Fortinet solutions are able to provide high-performance networking and end-to-end security functions in parallel and without performance loss, which allows retailers to combine multiple functions into fewer platforms. With a robust portfolio of technology alliances, called fabric partnerships, Fortinet allows businesses to gain the benefits of greater performance, security and visibility without always being forced to rip and replace their entire infrastructure in order to do so. This ability to streamline operations, gain efficiencies and reduce overall cost of running the business is, and will continue to be, a top priority for retailers.
Do you have metrics about the efficiencies and ROI that Fortinet can deliver?
Due to ongoing digital transformation initiatives and the need to continue creating omni-channel experiences to reach the customer, organizations are adopting a wide range of technologies including IoT, cloud computing and mobility. To secure these new technologies, some enterprises have continued to rely on disparate point products that do not communicate, making management complex and time-consuming. With enterprises maintaining an average of 32 different network and security vendors within their organization, the benefits of point product consolidation quickly become evident. Based on a conservative analysis, it is estimated that enterprises can save upwards of $3.3 million over a six-year period by adopting a security fabric approach vs. point-product.